oval:org.secpod.oval:def:704704: dotclear is installed

oval:org.secpod.oval:def:1900800: Dotclear before 2.10.3, when the Host header is not part of the web server routing process, allows remote attackers to modify the password reset address link via the HTTP Host header.

oval:org.secpod.oval:def:1900921: XSS was discovered in Dotclear v2.11.2, affecting admin/blogs.php and admin/users.php with the sortby and order parameters.

oval:org.secpod.oval:def:1901112: Cross-site scripting vulnerability in admin/users.php in Dotclear 2.12.1 allows remote authenticated users to inject arbitrary web script or HTML via the nb parameter.

oval:org.secpod.oval:def:1901093: Unrestricted file upload vulnerability in the fileUnzip->unzip method in Dotclear before 2.10.3 allows remote authenticated users with permissions to manage media items to execute arbitrary code by uploading a ZIP file containing a file with a crafted extension, as demonstrated by .php.txt or .ph ...

oval:org.secpod.oval:def:1901510: Cross-site scripting vulnerability in admin/media.php and admin/media_item.php in Dotclear before 2.11 allows remote authenticated users to inject arbitrary web script or HTML via the upfiletitle or media_title parameter.

oval:org.secpod.oval:def:1901294: Cross-site scripting vulnerability in admin/auth.php in Dotclear 2.12.1 allows remote authenticated users to inject arbitrary web script or HTML via the malicious user's email.